Modeling Systemic Dependencies through Attack Surface Analysiseoster/doc/2013-04-26-Sys-Deps.pdf ·...
Transcript of Modeling Systemic Dependencies through Attack Surface Analysiseoster/doc/2013-04-26-Sys-Deps.pdf ·...
Modeling Systemic Dependencies through Attack Surface Analysis!
Eric Osterweil!Danny McPherson!Lixia Zhang!
2 !Verisign Public !
• Well, do we know what our Internet services rely on? !• Are their foundations secure and reliable? !
• We’ve become very good at using the Internet to make our lives easier!• I can use one tweet to tell 50 million people that I just spilled
my coffee on Emma Stone at Starbucks!
• Our Internet services depend on networked systems, they are becoming increasingly layered and complex!
• Ultimately, what are we paying for these conveniences?!
What’s so important about systemic dependencies and attack surfaces?!
3 !Verisign Public !
What networked systems do I need to tweet to 50 million followers?!
Tweet
Desktop PC
Desktop PC
Desktop PC
Just splld coffee on @EmmaStonë #fail!
4 !Verisign Public !
• What is the relationship between dependent systems?!• We aim to map out what we gain, and what do we pay!
• But the application is so much broader: what systems do national critical infrastructures rely on?!• DNS resolution for the Estonian government? Routing for
Cairo? Cross modal threats from China? SCADA systems?!
• Our engineering precepts tell us to build systems on top of other systems!• But, does it make us more vulnerable to attacks, failures, etc.?!
• Is there a difference between vulnerability and availability?!
Systemic Dependencies!
5 !Verisign Public !
• Lots of ways to describe vulnerabilities, taxonomize attack vectors, etc.!
• We can’t always enumerate all of the attacks a priori!• They’re often only discovered reactively!
• We turn to attack surface ::= what could feasibly be used to attack a system’s correct operation!• If I keep my attack surface small, I reduce my exposure!• Quantifying targets and their values are different problems!• But, a quantifiable definition is elusive!
• We will quantify the attack surface of HTTPS using X.509 CA verification and compare it to HTTPS+DANE!
Measuring Vulnerability!
6 !Verisign Public !
• X.509 CA verification and DANE verification!• Attack surface methodology!• Measuring the Alexa top 1,000!• Discussion and future work!
Outline!
7 !Verisign Public !
!!• Protocols like Transport Layer Security (TLS) need to
be bootstrapped by cryptographic keys!• Servers offer certificates and clients must verify authenticity!
• CA verification uses a set of globally trusted authorities who can each vouch for any certificate’s authenticity!• Certificates represent previous verification: contain signatures
from CAs, and point to revocation points for status checks!
Certificatation Authority (CA) Verification!
CA List
DNSSEC
root
example.com
.com
1 - Resolvinghttps://www.example.com
Web Server
2 - DNSresponse
3 - HTTPS
Client
OCSPservers
CRLservers
4 - CheckCert
CheckCA Rev
CheckCA Rev
8 !Verisign Public !
• The systemic dependencies are:!• We first need to resolve its domain name (i.e. use DNS)!• Next we connect to a webserver that we found from DNS!• Then we pull an X.509 certificate down from that webserver!• With that, we use a list of pre-bundled CA certificates that we
have pre-configured to verify the webserver’s certificate!• Then we check to make sure the certificate was not revoked
since being issued!• Finally, we exchange a TLS session key with the webserver,
and start our online experience!• During this process, the attack surface includes any
resource that could feasibly enable an attack!• Possibly, a DNS secondary could give us a bogus answer that
directed us to a malicious web site, or DigiNotar could have verified a bogus certificate, etc.!
So, when we go to Facebook…!
9 !Verisign Public !
• DNS-Based Authentication of Named Entities (DANE)!• IETF working group, and standards track RFC for TLS!
• Observation: since even CA verification is frontloaded by DNS, why not do verification there too?!• Rather than the multi-rooted X.509 hierarchies, DANE uses
DNSSEC for verification!• DNS zones have TLSA record(s) that uniquely
authorize cert used by web servers!
DANE verification process!
DNSSEC
root
example.com
.com
1 - Resolvinghttps://www.example.com
Web Server
2 - DNSresponse
3 - HTTPS
Client
10 !Verisign Public !
• Qualitatively, a picture is worth 1,000 words: we can see that the attack surface is reduced!
• By cutting out our CA check and revocation checks, we removed a lot of moving parts!
Look at what we just cut out…!
CA List
DNSSEC
root
example.com
.com
1 - Resolvinghttps://www.example.com
Web Server
2 - DNSresponse
3 - HTTPS
Client
OCSPservers
CRLservers
4 - CheckCert
CheckCA Rev
CheckCA Rev
DNSSEC
root
example.com
.com
1 - Resolvinghttps://www.example.com
Web Server
2 - DNSresponse
3 - HTTPS
Client
11 !Verisign Public !
• Qualitatively, we can see that DANE’s attack surface is smaller, but…!• Talk is cheap, how can we quantify it?!
• We use the measure of systems’ systemic dependencies to quantify their attack surfaces!• Added complexity and moving parts, increases attack surface!• If a system needs n resources for ``correct operation,’’ and its
complexity increases this to n+m, its attack surface is greater!• But, we need a way to systematically decompose systems into
the resources they need…!
• Our methodology starts by identifying the logical procedural steps (processes) needed in Functional Process Digraphs (FPDs)!
• Then, we map each process to the resources it needs, and those resources are the actual attack surface!
Attack Surface Methodology!
12 !Verisign Public !
• Identifying all of the resources needed by networked systems can be non-trivial!
• To identify what resources a networked system uses, we start by identifying the logical processes it uses!
• FPDs are a way to codify networked systems!• Every logical step/procedure becomes a process in the FPD!
• Then, we look deeper at each process node and decompose it into a high-level workflow!• Workflows don’t fully
describe all of the processes’ inner-workings, but focuson how they access resources!
Functional Process Digraphs (FPDs)!
CA List
DNSSEC
root
example.com
.com
1 - Resolvinghttps://www.example.com
Web Server
2 - DNSresponse
3 - HTTPS
Client
OCSPservers
CRLservers
4 - CheckCert
CheckCA Rev
CheckCA Rev
13 !Verisign Public !
• Imagine a networked system that first required (say) a domain name resolution, and then connected to a remote system to search for a file!
• Below we might see the DNS process checking and processing, followed by a server process searching for a file!
!
• In creating an FPD, we must avoid the temptation to recursively codify processes the invoke processes beyond the semantic scope the networked system!
• For example, it may not be semantically useful to identify the process of electrons interacting with copper atoms!
Example FPD!
Decision
processYes
No
processDecision
process
process
process
Stop
Stop
Start
Start
14 !Verisign Public !
CA List
DNSSEC
root
example.com
.com
1 - Resolvinghttps://www.example.com
Web Server
2 - DNSresponse
3 - HTTPS
Client
OCSPservers
CRLservers
4 - CheckCert
CheckCA Rev
CheckCA Rev
CA verification FPDCA!
Start
Use poDNS
DNSSEC
Use DNSSEC
object security
Download cert
Check ANY CA verifies
cert
EEcert has
revocation info
Site has DNSSEC
Use poDNS
Use DNSSEC object security
Contact Server(s) for revocation info
Stop
YesNoYes No
No
Yes
DNS Resolution
Connect to web server on port 443
WWW / TCP
Web Server Cert
CAs
OCSP/CRL DNSFootprint
TLSEstablish
session key(s)
OCSP/CRLServer(s)
Note: DNSSEC!is optional!
15 !Verisign Public !
• Domain name lookups!• This could be plain old DNS (poDNS) or DNSSEC!
• Connection over a network path to a webserver!• An X.509 certificate (from that webserver)!
• Could require a chain of certificates!• The list of CA certificates in the client browser!• Domain name lookups for each revocation point!
• CRL domain names and/or OCSP domain names!• Connection over a network path to a revocation point!• A TLS session key!
CA verification requires…!
16 !Verisign Public !
DNSSEC
root
example.com
.com
1 - Resolvinghttps://www.example.com
Web Server
2 - DNSresponse
3 - HTTPS
Client
DANE verification FPDDANE!
Start
Use DNSSEC
object security
Download cert
DNS Resolution
Connect to web server on port 443
WWW / TCP
Stop
Establish session key(s)
TLS
Web Server Cert
Note: DNSSEC!is mandatory!
17 !Verisign Public !
• Domain name lookups!• DANE requires DNSSEC!
• Connection over a network path to a webserver!• An X.509 certificate (from that webserver)!• A TLS session key!
DANE verification requires…!
18 !Verisign Public !
• We can visibly see one system’s FPD is different than the other, but this is not quantitatively measurable!• FPDs help us codify the control flow of networked systems!• This helps us isolate their decision processes!• This helps us focus on what resources are used!• That helps us transform FPDs into resource graphs!• Finally, these graphs form our attack surfaces!
• The resources that each process uses inherit the same graphical relationships that they have in the FPD!
• We chose a candidate set of classification types of resources that processes use!• Network-Delivery Assurances, Session-Level Security, and
Object-Level Security!
Turning FPDs into something more meaningful!
19 !Verisign Public !
Network-Delivery Assurances
Object-Level Security
Session-Level Security
DNSResolution
WWW/TCP
WebCert CAs
OCSP/CRL
DNS Footprint
TLS
OCSP/CRLServer(s)
CA Verification’s Attack Surface!
20 !Verisign Public !
Network-Delivery Assurances
Object-Level Security
Session-Level Security
WWW/TCP
WebCert
TLS
DNSSECResolution SLD
TLDroot
DANE’s Attack Surface!
21 !Verisign Public !
• These graphs offer us several novel facilities!• We can quantify the sizes of each resource node!• We have a formal dependency/relationship between
fundamentally different types of resources (certs can be related to IP servers)!
• We can observe resource footprint changes from protocol decisions (re: DNSSEC)!
• Consider this last point: note that DANE’s requirement of DNSSEC moves the DNS portion of its attack surface out of the Network-Delivery Assurances tier, and into the Object-Level Security tier!• This is a fundamental change!!• In DNSSEC, secondary servers cannot successfully lie!!
Modeling resource element graphs!
22 !Verisign Public !
• In DNS, zones depend on name servers, and those name servers can depend on other zones!• This recursive dependency can lead to large graphs!• The transitive trust graph of the IPv4 and IPv6 name servers
of (for example) internetsociety.org are 119 and 85 nodes, respectively!
• But, because DANE requires DNSSEC, these graphs are reduced to just the DNSKEYs in the chain of trust!
Transitive trust graph sizes!
23 !Verisign Public !
• We crawled the Alexa top 1,000 sites!• We examined:!
• How many ran HTTPS on their main site!• How many ran HTTPS on www.<their-site>!• How many had different certificates on <their-site> and
www.<their-site>!• From this, and the certificates we calculated the attack
surface for each of them!• Then, we calculated what their attack surfaces would
be if:!• They deployed DNSSEC!• They deployed DNSSEC + DANE!
Evaluation!
24 !Verisign Public !
• The CA verification process requires us to calculate how large the CA set is!
• However, this is client-vendor specific!
• We can see that the list size can vary, so we evaluated using Mozilla’s size: 169!
CA list size!
Number of CAs! RP software!169! Mozilla!167! Windows!167! Apple’s iOS 5!92! Apple’s iOS 3!
25 !Verisign Public !
CA delegation chains!
26 !Verisign Public !
Revocation details (from CRL/OCSP URIs)!
27 !Verisign Public !
Network-Delivery Assurances
Object-Level Security
Session-Level Security
DNSResolution
WWW/TCP
WebCert CAs
OCSP/CRL
DNS Footprint
TLS
OCSP/CRLServer(s)
CA Verification’s Attack Surface!
28 !Verisign Public !
Quantitatively comparing these two systems!
29 !Verisign Public !
Non-log scale (just DNSSEC and DANE)!
30 !Verisign Public !
• Almost no sites in the Alexa top 1,000 had DNSSEC deployed!• Just deploying DNSSEC reduced attack surfaces by up to a
factor of 102!
• Deploying DANE reduced attack surfaces by as much as a factor of 103!
DNSSEC (alone) makes a huge difference!
Max! Average! Min! Type!1,104.92! 531.68! 309! Actual measured attack surface!40.42! 17.29! 7! Attack surface if sites deployed DNSSEC!10! 7.38! 7! Attack surface if sites deployed DANE!
31 !Verisign Public !
• Attack surface and Availability can be seen as orthogonal concepts!
• One might add additional servers to their deployment, but does this increase their attack surface?!• It might: if any of these servers is able to compromise the
correct operation of the system!• This is why DNSSEC reduces the attack surface over DNS:
secondaries cannot lie!• Conversely, one might find that higher redundancy
does not add to attack surface if increasing resources is independent of correctness!
Attack surface vs. Availability!
32 !Verisign Public !
• FPDs may lend nicely to kill chain-analysis!
• Disrupting a step in an FPD can render the rest of the process moot!
• Example: failing in the DNS stage renders following processing useless!
Using FPDs for kill chain analysis!Start
Use poDNS
DNSSEC
Use DNSSEC
object security
Download cert
Check ANY CA verifies
cert
EEcert has
revocation info
Site has DNSSEC
Use poDNS
Use DNSSEC object security
Contact Server(s) for revocation info
Stop
YesNo
Yes No
No
Yes
DNS Resolution
Connect to web server on port 443
WWW / TCP
Web Server Cert
CAs
OCSP/CRL DNSFootprint
TLSEstablish
session key(s)
OCSP/CRLServer(s)
33 !Verisign Public !
• There are lots of systems and protocols that have dependencies!• Many times, these dependencies are non-obvious!
• Nation states need ways to evaluate who and what they depend on so they know their vulnerability!
• Enterprises need ways to know which of their systems have cyclic dependencies!
• With this methodology we hope to offer a tool that lets people start evaluating what systems depend on!
Thoughts going forward…!
34 !Verisign Public !
http://irl.cs.ucla.edu/~eoster/pubs.html!
Our Technical Report!
35 !Verisign Public !
• DANE. https://datatracker.ietf.org/wg/dane/charter/.!• Flame: Massive cyber-attack discovered, Kaspersky Labs researchers
say, !May !2012. !http://www.bbc.com/news/technology-18238326 !• E. Hutchins, M. Cloppert, and R. Amin. Intelligence-Driven Computer
Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains. In Proceedings of the 6th International Con- ference on Information Warfare and Security (ICIW), page 113. ACI, March 2011.!
• E. Osterweil, D. McPherson, and L. Zhang. Operational implications of the dns control plane. IEEE Reliability Society Newsletter, May 2011.!
• V. Ramasubramanian and E. G. Sirer. Perils of transitive trust in the domain name system. In Proceedings of the 5th ACM SIGCOMM conference on Internet Measurement, IMC ’05, pages 35–35, Berkeley, CA, USA, 2005. USENIX Association.!
• W. A. C. Weekly. !DigiNotar SSL certificate com- promise!widens !to !include !security !agencies, !2011 http://
www.computerweekly.com/Articles/2011/09/05/247792/ DigiNotar-SSL-certificate-compromise-widens-to-include-security.htm!
!
Selected References!
Thank You!
© 2012 VeriSign, Inc. All rights reserved. VERISIGN and other trademarks, service marks, and designs are registered or unregistered trademarks of VeriSign, Inc. and its subsidiaries in the United States and in foreign countries. All other trademarks are property of their respective owners.!